Reputation: 2773
Store API Key within Keystore
I inherited an app that calls services that are protected by an API key that unfortunately is embedded in the app. Obviously, this is not ideal so I am looking to embed the API key within Android Keystore. I have used libraries such as https://github.com/scottyab/secure-preferences in the past on other Android apps but in this case, that security would not pass a security audit.
Reading this: https://medium.com/@ericfu/securely-storing-secrets-in-an-android-application-501f030ae5a3 I get everything but how to get API key in the keystore initially as part of the build. Ideally, I would have the API key returned as part of the login process so it is inserted at runtime but unfortunately, I cannot alter the login service at this time.
I have read numerous posts such as: Best practice for storing and protecting private API keys in applications but most are focusing on keeping your keys out of the source code repository.
So, the ask is: Is there a gradle build mechanism (or any mechanism) that can insert a specific piece of data into the Android Keystore at build time?
Upvotes: 6
Views: 2993
Answers (1)
Reputation: 1007321
Is there a gradle build mechanism (or any mechanism) that can insert a specific piece of data into the Android Keystore at build time?
By definition, that is not possible. The AndroidKeyStore is on users' Android devices, not on developer machines. At build time, your app is not on the users' Android devices and cannot do anything with them.
Upvotes: 10
Related Questions
- How to securely store a hardcoded API key on Android?
- How to store private key in android keystore?
- Android: Store SecretKey in KeyStore
- Storing private keys in keystore in Android
- Storing a secret key in Android KeyStore using API 18 and Above
- Store AES key in Android
- Storing keys in Android
- How to store key using Android Key Store Provider
- Android Keystore Provider - How to store an API key
- Android - Storing private keys in keystore